CVE-2026-21858: n8n Input Validation flaw enables

CISO Take

CVE-2026-21858 is a CVSS 10.0 unauthenticated path traversal in n8n (versions 1.65.0–1.120.x) that lets any internet attacker read—and likely write—arbitrary files on your server through public form-based workflow endpoints. If you run n8n to orchestrate AI agents, your LLM API keys (OpenAI, Anthropic, etc.), agent configurations, and every secret on that host are fully exposed. Patch to 1.121.0 immediately; if you cannot, take n8n offline and rotate every credential the host could access.

What is the risk?

Maximum severity (CVSS 10.0): network-accessible, zero authentication, zero user interaction, scope change to host OS. Exploitability is trivial—form endpoints are public by design and path traversal requires no AI/ML knowledge. For AI-integrated deployments, the blast radius extends well beyond n8n itself: LLM API keys, vector database credentials, RAG connection strings, and agent system prompts embedded in environment files or config directories are all at risk. A public third-party PoC and exploit write-up (Cyera) exist, meaning active exploitation is likely imminent if not already occurring. No CISA KEV listing yet, but expect one shortly given the exploit availability and CVSS score.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	—	No patch
193.4K OpenSSF 6.6 Pushed 3d ago 54% patched ~7d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1

10.0 / 10

EPSS

71.6%

chance of exploitation in 30 days

Higher than 99% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Actively Exploited

Sophistication

Trivial

Exploitation Confidence

high

✓ CISA KEV (active exploitation confirmed)

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 72%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Changed

C High

I High

A None

What should I do?

6 steps

PATCH NOW

Upgrade to n8n 1.121.0—only complete fix. No workaround fully mitigates without losing form workflow functionality.
ISOLATE

If patching is blocked, immediately restrict network access to n8n (firewall/WAF) or disable form-triggered workflows at the application level.
ASSUME BREACH—ROTATE ALL CREDENTIALS: Treat every secret on the n8n host as compromised—rotate LLM API keys (OpenAI, Anthropic, etc.), database passwords, webhook tokens, cloud IAM credentials, and n8n encryption keys.
HUNT FOR EXPLOITATION

Search access logs for form endpoint requests containing path traversal patterns ('../', '%2e%2e', '..%2f') or returning anomalously large response bodies. Correlate with unusual outbound connections from the n8n host.
SCAN EXPOSURE

Use asset inventory or Shodan to enumerate internet-facing n8n instances across your estate—shadow IT deployments are a likely blind spot.
POST-PATCH HARDENING: Enable authentication on all n8n form triggers, run n8n as a least-privilege user, and ensure secrets are injected at runtime (vault) rather than stored in files accessible by the process.

What does CISA's SSVC say?

Decision Track*

Exploitation none

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Code Execution Auth Bypass Agent Framework API AML.T0025 - Exfiltration via Cyber Means AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0084 - Discover AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk assessment

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to maintain the AI system

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-21858?

CVE-2026-21858 is a CVSS 10.0 unauthenticated path traversal in n8n (versions 1.65.0–1.120.x) that lets any internet attacker read—and likely write—arbitrary files on your server through public form-based workflow endpoints. If you run n8n to orchestrate AI agents, your LLM API keys (OpenAI, Anthropic, etc.), agent configurations, and every secret on that host are fully exposed. Patch to 1.121.0 immediately; if you cannot, take n8n offline and rotate every credential the host could access.

Is CVE-2026-21858 actively exploited?

Yes, CVE-2026-21858 is confirmed actively exploited and listed in CISA Known Exploited Vulnerabilities catalog.

How to fix CVE-2026-21858?

1. PATCH NOW: Upgrade to n8n 1.121.0—only complete fix. No workaround fully mitigates without losing form workflow functionality. 2. ISOLATE: If patching is blocked, immediately restrict network access to n8n (firewall/WAF) or disable form-triggered workflows at the application level. 3. ASSUME BREACH—ROTATE ALL CREDENTIALS: Treat every secret on the n8n host as compromised—rotate LLM API keys (OpenAI, Anthropic, etc.), database passwords, webhook tokens, cloud IAM credentials, and n8n encryption keys. 4. HUNT FOR EXPLOITATION: Search access logs for form endpoint requests containing path traversal patterns ('../', '%2e%2e', '..%2f') or returning anomalously large response bodies. Correlate with unusual outbound connections from the n8n host. 5. SCAN EXPOSURE: Use asset inventory or Shodan to enumerate internet-facing n8n instances across your estate—shadow IT deployments are a likely blind spot. 6. POST-PATCH HARDENING: Enable authentication on all n8n form triggers, run n8n as a least-privilege user, and ensure secrets are injected at runtime (vault) rather than stored in files accessible by the process.

What systems are affected by CVE-2026-21858?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration pipelines, RAG pipelines, workflow automation, multi-tool AI agents.

What is the CVSS score for CVE-2026-21858?

CVE-2026-21858 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 71.65%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM orchestration pipelinesRAG pipelinesworkflow automationmulti-tool AI agents

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

AML.T0083 Credentials from AI Agent Configuration

AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: 6.1.2

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.

Exploitation Scenario

An attacker scans for internet-facing n8n instances using Shodan (trivial—n8n exposes identifiable HTTP headers). They identify a public form-based workflow endpoint requiring zero authentication. By submitting a crafted form payload embedding path traversal sequences (e.g., '../../../../opt/n8n/.env' or '../../../../proc/1/environ'), the server returns the n8n environment file containing OPENAI_API_KEY, ANTHROPIC_API_KEY, N8N_ENCRYPTION_KEY, and database connection URLs. With stolen LLM API keys, the attacker hijacks inference capacity for their own operations (cost fraud, data exfiltration via LLM). With database credentials, they pivot to the vector/RAG database and exfiltrate the organization's proprietary knowledge base. The write primitive implied by I:H further allows injection of malicious nodes into workflow definitions—creating a persistent backdoor that executes on every automation run, completely transparent to operators.

Weaknesses (CWE)

CWE-20 Improper Input Validation

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

[Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
[Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.